Using Values to Transform the Global Culture of Security

Businesses around the globe have transitioned to digitally focused operating models, and data is now our most valuable business asset. According to the CapGemini EMC Big Data report, 63% of respondents considered that the monetization of their data could eventually become as valuable to their organizations as their existing products and services (4). Through the collection and analysis of this data, companies aim for increased efficiency, reduced waste, and increased profits (8).

Along with this transition to a data-focused business environment has come an increase in cyberattackers seeking financial gain. The World Economic Forum recently focused on the issue at Davos, highlighting that the cost of cybercrime to firms over the next five years could reach $8 trillion. In addition, the FBI recorded 40,203 cases of business email compromise (BEC) and email account compromise (EAC) around the world between October 2013 and December 2016, resulting in total exposed losses of $5,302,890,448 to businesses, and these are only the reported attacks (3).

“Culture can be divided into three levels that interact together: (1) promoted values, (2) visible behaviors, and (3) the underlying assumptions we hold. An organization’s culture transformation should begin with a change in values, leading to the adoption of new behavior.” (1)

This is an excellent statement as it gives a trajectory on how to modify the current company culture towards a culture where the best practices of security are used effectively and without second thought.

CORE VALUES OF THE BIGGEST BREACHES

If we look at the core values of the companies behind some of the biggest breaches in history, namely Yahoo and Target, we will see that neither company's core values remotely touch on security or safe online practices. This is disturbing, as “the costs of these breaches are often paid by an organization’s users in some form or another rather than the organization itself.” (11) Although this can be argued, and heavy sanctions and fines are at times placed on these companies for negligence, at the end of the day it is the customers’ data that is now exposed. Taking a look at the core value statements from these two companies:

WHAT ARE CORE VALUES

Core values define a company’s “operating instructions” with the goal of educating and encouraging the day-to-day behaviors of everyone who works at the company. They represent the organization’s driving forces and highest priorities. These values shape the foundation for what happens in the workplace and set the stage for the organization’s corporate culture, defining how your employees relate to clients, customers, and vendors.

And while there are handfuls of security firms that have security and/or confidentiality in their value statements, outside of the security realm, there do not appear to be many.

TYPES OF VALUES

Different types of values exist and should be evaluated to see how aligned they are with your corporation’s true current standing and with where you want it to go. Often, companies will include aspirational values when defining their core value statements, stating what they wish their value system to be, but not where it stands today. It is important to note that values are different than goals, wherein “values provide a general rationale for more specific goals and motivate attainment of goals through particular methods” (9). If the gap between where your organization currently stands and the proposed value statement is too wide, it will not only confuse employees but also lose their engagement, and this dissonance will cause them to reject the imposed value system.

PSYCHOLOGY OF VALUES/VALUE SYSTEMS

What are values, and how are they formed? Values are the priorities one holds that drive one’s internal compass and guide one’s implicit or explicit actions and behaviors. These values then become norms when they mandate a specific course of action, and these norms reciprocally strengthen the commitments to the proposed values.

Values are bound together to form a system, and when “a new value is acquired or an old one is lost, when a value is weakening (lowering) or strengthening (rising), the whole system will be affected.” (9) These values tend to take a hierarchical approach and, as the research by Shalom Schwartz has found, our values typically show up in clusters or groups, as shown in the illustration below (12):

The more ingrained and deeply rooted a particular value is, “the more it takes a central place in the system and the more it is lived intensely, arouses emotions, and mobilizes vehement energies.” (9) Values can be looked at from two perspectives, at the individual level and at the group level.

INDIVIDUAL VALUES

At the individual level, “values are internalized social representations or moral beliefs that people appeal to as the ultimate rationale for their actions.” (9) These values help the individual to self-regulate, bringing them in line with their internalized sociocultural goals, and keeping them out of conflict with the needs of the group. These values are acquired as part of the socialization process through family, groups and general society, and are relatively fixed over time. As research done by Dr. Daphna Oyserman states:

“Indeed, values that are individually endorsed and highly accessible to the individual do predict that individual’s behavior. Conversely, even personally endorsed values won’t influence action when they are not made salient to the individual at the time of action. Moreover, in any given situation more than one personally endorsed value may apply, and the behavioral choice appropriate for one value may conflict with the behavioral choice appropriate to another value.” (9)

This is where the hierarchical aspect of values comes in, wherein an individual will behave in line with the value that they believe is more significant than the other.

GROUP VALUES

At the group level, values are commonly held cultural beliefs shared by members of a group (9). These values form the social glue of the group and when individuals feel a sense of allegiance, the values are reinforced. Group values can also set the stage for friction within a group, as individual values may conflict with the group’s, causing the individual to either retreat from the group, or realign their values to meet the group’s expectations. These “social agreements” about what is right or wrong, good or bad, required or forbidden, or the degree of importance of something direct the behaviors of the individual members of the group and structure the everyday life choices made.

INTEGRATING A SECURITY VALUE SYSTEM

So how do we go about effective behavioral change that starts at the enterprise and can then spread through society?

1. Define how your company uses its data assets.
   - Be specific; think about your business category and how all companies in a given category relate to security of their data

2. Describe the collective attitudes and beliefs about cybersecurity that you desire all employees to hold while holding true to your company’s personality
   - Use words that invoke an emotional response
   - Be unique and differentiated

3. Translate these attitudes and beliefs into specific actions and decisions employees should make

4. Tie together how the actions and decisions defined in #3 produce your customer experiences that define and differentiate your brand with their security in mind

RESPONSIBILITY

As core values form the foundation of your organization, there should be no greater champion of these values than the Founder or CEO. This individual’s core security values permeate the workplace and are key shapers of the organization’s security culture. This individual, along with a handful of key employees, including the CISO/CIO/CSO, should be held responsible for creating the organization’s core security values. In doing so, they are “imposing a set of fundamental, strategically sound beliefs on a broad group of people” (7) and reaffirming the company’s cultural expectations around cybersecurity. This will allow organizations to assess which employees are able to embrace these values and which are not, giving greater visibility into the risk factors associated with employees.

MARKETING CORE SECURITY VALUES FROM THE INSIDE OUT

After a company decides what its core security values are, it should integrate them at every opportunity. From the start of hiring to the last day of work at the company, employees should be constantly reminded that core security values form the basis for every decision the company makes. Furthermore, internal champions of these core security values should be held up as models for the entire organization, and further promotion of these values should be integrated at every turn in the company. Executives should take care to repeat these values every chance they get to further solidify them as tenets of the company’s culture.

CONCLUSION

As cyberattacks increase across the digital landscape, we must start the transition to better security hygiene at the enterprise, acknowledging its importance in not only the life of the company, but also the lives of employees. When employees feel like their personal lives are being taken into consideration with these cultural undertakings, they will be more engaged at the workplace and the integration into their own personal value system will take place. Although a challenging road lies ahead to get everyone on board with security hygiene practices, the heads of global companies have the power to start this process and watch it trickle down.

danielleakingsbury

2 Comments

Thank you! This is one of the most useful articles I have ever seen regarding setting the correct “tone at the top” for an organization. Your research and writing are absolutely brilliant.

I often teach executives that cybersecurity is not about explaining the past, it is about improving the future. The values that you describe are what motivates individuals to behave the way they do. I have yet to see a set of cybersecurity policies that viscerally motivates behavior by describing values.

I really appreciate the excellent work that you do, and if there is ever anything I can do to help you please let me know. You are making a difference!

Thank you very much for reading my research and for the supportive note! I am thrilled to hear that you find the proposed objective of the post meaningful and that you see its applicability in how the leaders of our organizations have the power to create real change in the world. There are many who are talking about security culture, but knowing how to get there is key and I hope that this discussion will inspire others as well to create the behavior change that begins in their organization, and flows into the rest of society.

I, in return, really appreciate your encouragement and will be sure to keep in touch as my research develops and we see the progress of our digital age 🙂
